According to the documentation, you have to pass a secret in TFS 2018 to PowerShell like this:
Param(
    [string]$sauceArgument,
    [string]$secretSauceArgument
)
Write-Host No problem reading $env:SAUCE or $sauceArgument
Write-Host But I cannot read $env:SECRET_SAUCE
Write-Host But I can read $secretSauceArgument "(but the log is redacted so I do not spoil the secret)"
Passing it as a string does not allow using the secret in credentials. I am only able to use it when I convert it via ConvertTo-SecureString -AsPlainText, which is supposed to be bad practice according to the documentation:
$Secure_String_Pwd = ConvertTo-SecureString $secretSauceArgument -AsPlainText -Force
If I change the input type from [String] to [SecureString], I get this conversion error:
Cannot process argument transformation on parameter 'secretSauceArgument'. Cannot convert the "***" value of type "System.String" to type "System.Security.SecureString".
Does it really have to be converted at all? Does this mean using Secrets is bad practice?
Update to clarify my question: I am able to pass secrets into PowerShell. I am not able to use secrets as credentials (only via ConvertTo-SecureString -AsPlainText -Force, which is bad practice).
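
The conversion described in the question, carried through to a credential object, as an added example that is not part of the original post or the TFS documentation. The `$userName` parameter, its default value and the `ConvertTo-PipelineCredential` helper are hypothetical names chosen for illustration.

```powershell
# Added example. Only $secretSauceArgument comes from the post; every other
# name here is hypothetical.
Param(
    [Parameter(Mandatory)] [string]$secretSauceArgument,  # secret passed as a script argument
    [string]$userName = 'svc-build'                       # hypothetical account name
)

function ConvertTo-PipelineCredential {
    param(
        [Parameter(Mandatory)] [string]$UserName,
        [Parameter(Mandatory)] [string]$PlainSecret
    )
    # The secret reaches the script as System.String, which is why a
    # [SecureString] parameter fails with the transformation error quoted
    # in the post. The conversion therefore happens inside the script.
    $secure = ConvertTo-SecureString $PlainSecret -AsPlainText -Force
    $secure.MakeReadOnly()
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

$credential = ConvertTo-PipelineCredential -UserName $userName -PlainSecret $secretSauceArgument

# Drop the plain-text copy from script scope once the credential exists,
# so later code in the script cannot echo it by accident.
Remove-Variable -Name secretSauceArgument

# Report only non-sensitive facts about the result; never the password itself.
Write-Host "Credential built for $($credential.UserName), password length $($credential.Password.Length)"

# $credential can now be handed to any cmdlet that takes -Credential.
```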